NetFlow version 5 and version 9 are commonly used nowadays so this part will show how to configure NetFlow in version 5 and 9. We only show the minimum configuration to help NetFlow work well.
Configure NetFlow version 5
The following configuration enables NetFlow version 5 on Fa0/1 interface and export to a NetFlow collector at 10.1.1.1 on UDP port 2055.
Router(config-if)#ip route-cache flow
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2 //NetFlow will use Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute.
+ NetFlow version 5 can inspect inbound traffic only.
+ We can use either the command “ip route-cache flow” or “ip flow ingress” in this case. The former will enable flows on the physical interface and all sub-interfaces associated with it while the latter can be used on sub-interfaces and will enable flows on sub-interfaces only.
+ The last command “ip flow-cache timeout active 1” is necessary for NetFlow to work well. If you leave it at the default of 30 minutes your traffic reports will have spikes.
Configure NetFlow version 9
To configure NetFlow version 9 (Flexible NetFlow), we need to configure three components:
1. Flow Record
2. Flow Exporter
3. Flow Monitor
The following configuration enables NetFlow version 9 on Fa0/1 interface and export to a NetFlow collector at 10.1.1.1 on UDP port 2055.
1. Configure the Flow Record:
2. Configure the Exporter:
3. Configure the Flow Monitor
4. Apply to an interface
Small note: CEF should be enabled on the NetFlow Exporter router when running NetFlow. CEF decides through which interface traffic is exiting the router. Any NetFlow Collector will calculate the OUT traffic for an interface based on the Destination Interface value present in the NetFlow packets exported from the NetFlow Exporter. If the CEF is disabled on this router, the exported NetFlow packets will have “Destination interface” as “null” and this leads NetFlow Collector to show no OUT traffic for the interfaces.
After finishing configuration, we may need some commands to verify and troubleshoot our NetFlow configuration. Some popular commands used to check the NetFlow operation are listed below:
+ show ip cache flow: display a summary of the NetFlow accounting statistics. The output of this command has been showed above
+ show ip flow export: display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches
Router# show ip flow export Flow export v5 is enabled for main cache Exporting flows to 10.1.1.1 (2055) Exporting using source interface FastEthernet0/2 Version 5 flow records 39676332 flows exported in 1440719 udp datagrams 0 flows failed due to lack of export packet 153 export packets were sent up to process level 0 export packets were dropped due to no fib 0 export packets were dropped due to adjacency issues 0 export packets were dropped due to fragmentation failures 0 export packets were dropped due to encapsulation fixup failures
+ “show ip flow interface”: displays NetFlow accounting configuration on interfaces
R2# show ip flow interface FastEthernet0/0 ip route-cache flow
+ show ip flow top-talkers: show which end devices on your network are taking up the most bandwidth
Router# show ip flow top-talkers SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes Et0/1 184.108.40.206 Local 192.168.1.254 01 0000 0000 4800 Et0/2 220.127.116.11 Local 192.168.1.254 01 0000 0000 4800 Et0/3 18.104.22.168 Local 192.168.1.254 01 0000 0000 3400